Japanese Hotel Chain Notifies 125K Guests of Software Provider Breach

A Japanese hotel chain has notified approximately 125,000 guests about a data breach that affected one of its software providers.

On 26 June, Prince Hotels & Resorts published a statement on its website explaining that its reservations system in English, Simplified Chinese, Traditional Chinese and Korean was affected by an instance of unauthorized access.

The hotel chain said the incident could have exposed the personal information, including names, addresses, email addresses and booking details, of 58,003 guests who stayed at 43 of its hotels between May 2017 and June 2018. It disclosed that the event might also have affected the payment data of 66,960 guests who made and confirmed reservations through its system for international guests at 39 of its locations before August 2017.

As of this writing, Prince Hotels & Resorts had not found evidence suggesting someone had misused the affected guests’ information. It nevertheless notified the Personal Information Protection Commission, a Japanese government entity that is responsible for protecting people’s personal information. It also reassured customers that it is committed to keeping them updated about the incident. As quoted in its notice:

We are working diligently to address this issue and our priority will continue to be doing what is right for our Guests. We are committed to sharing additional information on this ongoing investigation with our Guests as we learn more.

Prince Hotels & Resorts said in its statement that the instance of unauthorized access took place at FastBooking, a digital services provider for 4,000 hotels worldwide. FastBooking detected an intrusion into its systems on 19 June, reported Bleeping Computer. That incident is thought to have compromised guests’ personal information and/or payment details at 380 Japanese hotels alone, with additional hotels worldwide likely affected.

FastBooking responded by contacting each affected hotel, including Prince Hotels & Resorts, and providing them with a template to notify affected guests as well as relevant data protection entities.

News of this incident comes a few weeks after HR software provider PageUp said that a malware infection might have exposed user data, including personal and account information. That incident similarly sparked a flurry of data breach notifications among affected clients.